Microsoft Defender for Cloud Blog

Proactive Hunting with Cloud Security Explorer in Defender for Cloud

gastori
Iron Contributor
Feb 22, 2023

Introduction

In our previous blog “A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud,” Yuri Diogenes emphasized the importance of proactive security posture management and outlined a successful organizational structure for security teams. He delved into the core elements of posture management, including monitoring secure score improvement, enforcing governance rules, and engaging in proactive hunting.

Building on that discussion, we now turn our attention to the vital aspect of proactive hunting in this follow-up article. Our goal is to provide technical insights and practical tips for reducing the attack surface and minimizing the risk of compromise through proactive hunting in cloud environments.

This article will demonstrate how you can utilize Microsoft Defender for Cloud's Security Explorer to conduct proactive hunting in cloud environments with maximum efficiency.

Use Case Scenarios

Scenario 1 - Azure Virtual Machine exposed to a public network such as the Internet with high vulnerabilities and loose permissions.

As cloud technology continues to advance, virtual machines (VMs) face increasing threats from public networks like the internet. This presents a major challenge, especially considering that VMs frequently host sensitive applications and data. To address this risk, it is vital for organizations to identify vulnerabilities in their VMs and ensure they are not accessible from the internet.

For this fictitious scenario, let us use a company that developed a popular cloud-based application used by millions of users around the world. The application stores sensitive information, such as login credentials and financial data, and must always remain secure. However, as the application gains widespread adoption, the security team is faced with a new challenge.

The servers hosting the application are now exposed to the internet and vulnerable to a variety of security threats. If an attacker successfully exploits these vulnerabilities, they could move laterally to other resources such as key vaults, databases, and storage accounts, potentially resulting in a devastating data breach.

The team must take proactive steps to identify and mitigate these risks before they can be exploited.

To address this risk, the security team decides to take a proactive approach and evaluate their environment for potential security risks. They turn to Defender for Cloud and its Cloud Security Explorer capability, which gives them the ability to assess their cloud environment's overall security posture, including the configuration of their servers.

The security engineer builds a query to identify all servers that are exposed to the internet and vulnerable to remote code execution (RCE) (Figure 1 [1], [2], [3]). To get a complete understanding of the security posture of these internet-exposed virtual machines, the engineer expands the query to check if any of the virtual machines have a system identity with permission to access Azure Key Vaults, SQL Databases, and Storage Accounts (Figure 1 [4]).

This comprehensive view of the virtual machine's security helps the company to remediate any risks before they are exploited, preventing data breaches and unauthorized access.

With these measures in place, the company can have peace of mind knowing their sensitive information is protected.

In the following picture you can see and follow the query mentioned above, and the results produced by the search (Figure 1 [5]).

The output from the query in Defender for Cloud - Cloud Security Explorer provides more than just a list of virtual machines that match the criteria. The results allow the engineer to thoroughly examine each record and gain valuable security insights related to the virtual machine.

By selecting a record, a side panel will expand, offering a deep dive into the details of the virtual machine. This includes all resources attached to the result (Figure 2 [1]), as well as information about the environment (such as the cloud provider and resource group, if the environment is Azure) (Figure 2 [2]). Additionally, the network insights related to the virtual machine's exposure to the internet (Figure 2 [3]), as well as any vulnerabilities found on the server and their potential for remote code execution, can be reviewed (Figure 3 [1]).

Importantly, the results also provide information regarding the Key Vault, SQL DB, or Storage Account the Server has access to (Figure 3-1 [1]).

Here is a graphical representation of the process executed during the risk analysis for this use case:

Scenario 2 - AWS EC2 Instance Virtual Machine exposed to a public network such as the Internet with high vulnerabilities such as RCE, OMI, OpenSSL.

Now let us explore a company that operates an e-commerce platform where they store sensitive customer information, such as credit card numbers and addresses, on their AWS cloud servers. To safeguard this information, the security team chose to encrypt all customer-server communications using OpenSSL. However, the team recently learned of critical vulnerabilities in OpenSSL, namely CVE-2022-3602 and CVE-2022-3786, which could result in a Denial-of-Service attack if a maliciously crafted certificate were sent to a server during client authentication. To compound the issue, the team also discovered that their e-commerce platform could be vulnerable to Remote Code Execution, thanks to an outdated version of OMI (Open Management Infrastructure) being used to manage the servers.

The security team must proactively search for any servers that could be impacted by the identified security risks. Fortunately, they have recently onboarded their AWS account into Defender for Cloud using its native multicloud connector and have enabled Defender CSPM. This allows them to use Cloud Security Explorer for their search and assess their EC2 instances for exposure to the aforementioned security risks.

By utilizing Defender Cloud Security Explorer, the security team can quickly identify VMs that are susceptible to security threats and attacks. With these proactive measures in place, the security team can effectively prevent data breaches, unauthorized access, and other security incidents from occurring.

The query begins with the resource "EC2 Instance" (Figure 4 [1]) and the filter that evaluates whether any servers are exposed to the internet (Figure 4 [2]). To assess the OpenSSL and OMI vulnerabilities, the query checks for vulnerabilities with the specified CVE identifiers (Figure 4 [3]):

  • OMI: CVE-2021-3845; CVE-2021-38647; CVE-2021-38648; CVE-2021-38649
  • OpenSSL: CVE-2022-3786; CVE-2022-3602

Fortunately, the results showed that no servers were found to be exposed to these security risks. If any vulnerabilities were identified, the security team could utilize the result insights to mitigate each risk by following the recommendations provided in the insights.

Here is a picture of the query built for this use case:

Here is a graphical representation of the process executed during the risk analysis for this use case:

Scenario 3 - Shifting security to the left - GitHub repositories exposing secrets and code vulnerable to exploits

As a software engineer, you understand the crucial role you play in maintaining the security of code stored in your GitHub repositories. With the widespread reliance on open-source code, security vulnerabilities can be easily exploited and cause significant harm.

Alarmed by the potential security risks posed by these repositories, the security team launches a proactive search for any vulnerabilities and misconfigurations. To address these risks, the team has decided to implement the following recommended measures:

  1. Enable Dependency Vulnerability Scanning: To keep track of any vulnerabilities in dependencies and quickly receive alerts about any potential security issues, giving the team the opportunity to resolve them before they are exploited.
  2. Turn on Dependabot Scanning: This automatically creates pull requests to update dependencies when new vulnerabilities are found, ensuring the code remains secure.
  3. Enable Code Scanning: To detect any security issues in the code and identify potential security vulnerabilities, giving the team the chance to address them before attackers discover them.
  4. Enable Secret Scanning: To detect any secrets that may have been exposed in the repositories and take appropriate action to secure them before they fall into the wrong hands.

The security team turns to Defender for Cloud – Cloud Security Explorer to search for the above security risks and misconfigurations. The query starts with GitHub as the resource of focus (Figure 5 [1]), followed by checking if any repositories are exposed publicly (Figure 5 [2]). Then, the query searches for “Unhealthy” recommendations to evaluate if any of the following are found (Figure 5 [3]):

  • Code repository should have dependency vulnerability scanning finding resolved
  • GitHub repository should have Dependabot scanning enabled
  • GitHub repository should have code scanning enabled
  • GitHub repositories should have secret scanning enabled

The result of this query listed two publicly exposed GitHub repositories that did not meet some of the recommendations (Figure 5 [4]).

The security team examines the results (Figure 6) and initiates a plan of action to mitigate the risk.

By implementing these measures, the team ensures that the code stored in their GitHub repositories remains secure and protected against potential security risks.
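The three Explorer queries above share one shape: pick a resource type, apply an exposure filter, then intersect with findings or permissions. The following is an added example, not code from the post or from Defender for Cloud: a small in-memory model of that asset graph with the Scenario 1, 2 and 3 filters written as functions over a constructed inventory. The dataclasses, server and repository names, the abbreviated recommendation names and the placeholder CVE are assumptions made for illustration; the CVE identifiers in the OMI and OpenSSL sets are the ones listed in Scenario 2.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    name: str
    cloud: str              # "azure" (VM) or "aws" (EC2 instance)
    internet_exposed: bool  # network insight: reachable from the Internet
    vulns: dict = field(default_factory=dict)          # CVE id -> True if the finding allows RCE
    identity_access: set = field(default_factory=set)  # resource types the system identity can reach

@dataclass
class Repo:
    name: str
    public: bool
    unhealthy: set = field(default_factory=set)  # recommendations in "Unhealthy" state (abbreviated)

SENSITIVE_TARGETS = {"KeyVault", "SQLDatabase", "StorageAccount"}  # Scenario 1 lateral-movement targets
OMI_CVES = {"CVE-2021-3845", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649"}  # as listed in Scenario 2
OPENSSL_CVES = {"CVE-2022-3786", "CVE-2022-3602"}
DEVOPS_RECS = {"dependency vulnerability scanning", "dependabot scanning", "code scanning", "secret scanning"}

def hunt_exposed_rce_with_access(servers):
    """Scenario 1: exposed Azure VMs with an RCE finding whose identity reaches a sensitive target."""
    return {s.name: sorted(reach) for s in servers
            if s.cloud == "azure" and s.internet_exposed and any(s.vulns.values())
            and (reach := SENSITIVE_TARGETS & s.identity_access)}

def hunt_exposed_with_cves(servers, cves=OMI_CVES | OPENSSL_CVES):
    """Scenario 2: exposed EC2 instances carrying any of the listed CVE identifiers."""
    return {s.name: sorted(found) for s in servers
            if s.cloud == "aws" and s.internet_exposed and (found := set(s.vulns) & set(cves))}

def hunt_public_repos_unhealthy(repos, recs=DEVOPS_RECS):
    """Scenario 3: public GitHub repositories with any of the DevOps recommendations unhealthy."""
    return {r.name: sorted(gaps) for r in repos if r.public and (gaps := r.unhealthy & recs)}

# Constructed inventory (hypothetical names and findings, not real assets)
SERVERS = [
    Server("web-vm-01", "azure", True, {"CVE-2021-38647": True}, {"KeyVault", "StorageAccount"}),
    Server("db-vm-02", "azure", False, {"CVE-2021-38647": True}, {"SQLDatabase"}),  # not exposed
    Server("batch-vm-03", "azure", True, {"CVE-2022-3602": False}, set()),  # no RCE, no identity access
    Server("i-shop-front", "aws", True, {"CVE-2022-3786": False}),
    Server("i-shop-worker", "aws", True, {"CVE-0000-00000": True}),  # placeholder CVE, not on the list
]
REPOS = [
    Repo("shop-api", True, {"secret scanning", "code scanning"}),
    Repo("internal-tools", False, {"secret scanning"}),  # private: excluded by the exposure filter
    Repo("docs-site", True, set()),                      # all recommendations healthy
]
```

Each function returns only the records that pass every filter, which mirrors how narrowing the Explorer query step by step reduces the result set to the assets that actually need remediation.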

Here is a picture of the query built for this use case:

Here is a graphical representation of the process executed during the risk analysis for this use case:

Conclusion

In conclusion, proactive hunting is a vital aspect of cloud security posture management and an effective way to reduce the attack surface and minimize the risk of compromise. With the increasing use of cloud technology, it is essential to have a robust security solution in place, and Microsoft Defender for Cloud - Cloud Security Explorer is a valuable capability to achieve this goal. With its comprehensive data collection and easy-to-use query feature, engineers can quickly detect potential security risks and exposures in their cloud environment, ensuring a more comprehensive view of their security posture and enabling a proactive approach to threat detection and response. By following the best practices and strategies outlined in this article, organizations can significantly enhance their cloud security posture and mitigate security risks in their cloud environments.

Additional Resources

If you are using Attack Path and Cloud Security Explorer and want to share your feedback with the Defender for Cloud Team, please e-mail us directly from here. You can also use the resources below to learn more about these capabilities:

Reviewers

Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud

Meital Taran- Gutman, Principal GPM (Defender for Cloud)

Denis Mizetski, Principal PM Lead (Defender for Cloud)

David Trigano, Senior PM (Defender for DevOps)

Tal Rosler, Senior PM (Defender for Cloud)

Updated Feb 22, 2023
Version 2.0
  • scotti1
    Copper Contributor

    Thanks for sharing this insightful article! Proactive hunting is a critical aspect of cybersecurity, especially in cloud environments where the attack surface can be vast. I appreciate the practical tips and technical insights on reducing the risk of compromise through proactive hunting, and it's great to see how Microsoft Defender for Cloud's Security Explorer can be leveraged for this purpose. Looking forward to learning more from your follow-up article!

    I completely agree with your point about proactive hunting being a critical aspect of cybersecurity in cloud environments. With cloud adoption on the rise, it's more important than ever to take a proactive approach to security and minimize the attack surface to avoid potential threats.

    Your article on proactive hunting in cloud environments with Microsoft Defender for Cloud's Security Explorer seems to be a valuable resource for cybersecurity professionals looking to enhance their cloud security measures. Could you please elaborate more on the technical aspects of Security Explorer and how it can be leveraged for proactive hunting in cloud environments, maybe going into more details about the various filters available and/or a list of items we can hunt for?

    Furthermore, I'm curious to know if you have any further recommendations on best practices for conducting proactive hunting in cloud environments. How can organizations stay ahead of potential threats and minimize the risk of compromise through proactive hunting in general? Do you have any additional examples of successful proactive hunting initiatives that have prevented potential threats in the cloud?

    I look forward to learning more about proactive hunting and cloud security from you and engaging in a discussion on the topic.

  • gastori
    Iron Contributor

    scotti1 Thank you for your thoughtful response! I'm glad you found the article insightful and helpful. Microsoft Defender for Cloud's Security Explorer is a powerful tool that can be used for proactive hunting in cloud environments.

    Security Explorer allows users to filter through their cloud environment data and identify potential security risks or vulnerabilities. The filters available include many core resources and correlation points such as VMs, their Network configuration, public IP, Identities and their permission, among others. By using these filters, security teams can quickly identify and investigate potential threats before they become more significant issues.

    To stay ahead of potential threats, it's important for organizations to establish a proactive security culture and employ a layered security approach. This includes regularly updating security policies and procedures, performing regular security assessments and penetration testing, and implementing security tools like Microsoft Defender for Cloud's Security Explorer.

    As for successful proactive hunting initiatives, there are many examples of organizations preventing potential threats through proactive hunting in the cloud. For instance, one organization used proactive hunting to identify and remediate a misconfigured cloud storage bucket that was exposed to the public internet, preventing unauthorized access to sensitive data.

    I hope this additional information is helpful, and I look forward to continuing the discussion on proactive hunting and cloud security with you!

  • Sundar105
    Copper Contributor

    Thanks for the great insights and 3 ways over able to proactively adapt and prioritize the vulnerabilities.

    Specific to this functionality apart from Vulnerability Management and Privileged access management.

    Are there ways to integrate other threat intelligence feeds and SOAR Integration Platforms? This would provide customized requirements and a more granular level to work over specific Cloud Security-related issues, considering the inputs from other fields.

  • gastori
    Iron Contributor

    Sundar105 We're working on integrating feeds from Microsoft Defender External Attack Surface Management (Defender EASM). Future plans may include a web API to access and consume data programmatically, so that users can elaborate customized integrations such as with SOAR or, as you've asked, correlate with other TI feeds.